Channel ID is a Transport Layer Security (TLS) extension that provides client-side authentication in a more secure way. Traditional client-side authentication attached client certificates in plain text during the TLS handshake, which has led to several identified vulnerabilities and security concerns. Channel ID uses a more secure method to send a client-side identifier to a server: only the real client, which holds the corresponding private key, can present that identifier together with a correct signature.
When doing Secure Sockets Layer (SSL) inspection, a simple way to intercept a connection that uses Channel ID is to strip the Channel ID extension from the ClientHello, which results in a less secure connection. To properly support Channel ID during SSL inspection, a method is needed that sends to the server a unique identifier, with a correct signature, that represents the real client. However, the original identifier cannot simply be forwarded, because no previous method could generate the correct signature for it: the private key is owned by the real client and cannot be intercepted when performing a man-in-the-middle interception.
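The property the two paragraphs above rely on, shown as an added example that is not part of the original text: a client's identifier is a P-256 public key, and the signature it presents is bound to the handshake transcript with the client's private key, so a server accepts the identifier only from the holder of that key. The transcript bytes, the `Client`/`VerifyChannelID` names, and the use of a SHA-256 transcript digest as the signed message are assumptions made for this illustration and are not the extension's exact wire encoding.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"math/big"
)

// ChannelID is the client-side identifier the extension carries: the
// client's long-lived P-256 public key point (assumption: raw x, y).
type ChannelID struct {
	X, Y *big.Int
}

// Client holds the private key that never leaves the real client.
type Client struct {
	priv *ecdsa.PrivateKey
}

// NewClient generates a fresh P-256 key pair for one client.
func NewClient() (*Client, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Client{priv: priv}, nil
}

// ID returns the identifier the client presents to servers.
func (c *Client) ID() ChannelID {
	return ChannelID{X: c.priv.PublicKey.X, Y: c.priv.PublicKey.Y}
}

// Sign binds the identifier to one handshake by signing a SHA-256 digest
// of the transcript (assumption: digest-of-transcript as the message).
func (c *Client) Sign(transcript []byte) (r, s *big.Int, err error) {
	digest := sha256.Sum256(transcript)
	return ecdsa.Sign(rand.Reader, c.priv, digest[:])
}

// VerifyChannelID is the server side: rebuild the public key from the
// identifier and check the signature over the same transcript digest.
func VerifyChannelID(id ChannelID, transcript []byte, r, s *big.Int) bool {
	pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: id.X, Y: id.Y}
	digest := sha256.Sum256(transcript)
	return ecdsa.Verify(pub, digest[:], r, s)
}

// Outcome records what the server accepts in three constructed cases.
type Outcome struct {
	Genuine  bool // real client's ID with the real client's signature
	Forged   bool // real client's ID, but signed with an intermediary's own key
	Replayed bool // real signature presented under a different handshake transcript
}

// RunScenario exercises the three cases with constructed transcripts.
func RunScenario() (Outcome, error) {
	var out Outcome
	transcript := []byte("constructed transcript: ClientHello..ServerHelloDone #1")

	client, err := NewClient()
	if err != nil {
		return out, err
	}
	r, s, err := client.Sign(transcript)
	if err != nil {
		return out, err
	}
	out.Genuine = VerifyChannelID(client.ID(), transcript, r, s)

	// An inspection appliance without the client's private key can only
	// sign with a key of its own; that signature does not verify under the
	// real client's identifier.
	appliance, err := NewClient()
	if err != nil {
		return out, err
	}
	r2, s2, err := appliance.Sign(transcript)
	if err != nil {
		return out, err
	}
	out.Forged = VerifyChannelID(client.ID(), transcript, r2, s2)

	// A captured genuine signature is bound to its transcript, so it does
	// not verify for another handshake.
	other := []byte("constructed transcript: ClientHello..ServerHelloDone #2")
	out.Replayed = VerifyChannelID(client.ID(), other, r, s)

	return out, nil
}

func main() {
	out, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine=%v forged=%v replayed=%v\n", out.Genuine, out.Forged, out.Replayed)
}
```

Only the first case verifies; the other two fail, which is exactly why an intercepting appliance cannot forward the real identifier and must present an identifier whose private key it holds.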
A previous solution was to maintain a local mapping between the real identifier and a fake identifier. However, this solution needed a cache for storing the identifiers. Its disadvantages were the complexity of maintaining the local cache; poor scalability, because syncing the cache between appliances was expensive and complicated; and a limit on the total number of intercepted TLS connections imposed by the cache size. Storage was not unlimited, and the cache would eventually run out of space. Once the available space was used up, at least one old record had to be evicted to store a new one, creating a security hole. What is needed is a better solution, free of these limitations, for supporting the Channel ID extension in a TLS connection.